CVE-2018-3604

Name of the Vulnerable Software and Affected Versions Trend Micro Control Manager version 6.0

Description The issue concerns SQL injection remote code execution vulnerabilities in the Trend Micro Control Manager. Specifically, vulnerabilities exist in various methods, including GetXXX, GetOnetimeSubscription, GetPassword, GetProductServerType, sp DDI GetInterestedIPByJobID2, GetChannelList, GetRuleList, and GetScheduleSubscription. These vulnerabilities could allow a remote attacker to execute arbitrary code on vulnerable installations.

Recommendations For Trend Micro Control Manager version 6.0, consider disabling the affected methods, such as GetXXX(), GetOnetimeSubscription(), GetPassword(), GetProductServerType(), sp DDI GetInterestedIPByJobID2(), GetChannelList(), GetRuleList(), and GetScheduleSubscription(), until a patch is available. Restrict access to the vulnerable sCloudService module to minimize the risk of exploitation. Avoid using vulnerable API endpoints related to these methods until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.